PATENT
2685/5681 Goldschlag 

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

INVENTORS: GOLDSCHLAG, David M.
STUBBLEBINE, Stuart G.
SYVERSON, Paul F.

FILING DATE: Herewith

TITLE: SYSTEM AND METHOD FOR ELECTRONIC TRANSACTIONS

ASSISTANT COMMISSIONER FOR PATENTS 
Washington, DC 20231 

PRELIMINARY AMENDMENT 

SIR: 

This Preliminary Amendment accompanies a continuation application filed under 37 
U.S.C. 1.53(b), based upon pending U.S. application Ser. No. 09/025,802, filed on February 
19, 1998. The applicants respectfully request that the Office enter the amendments presented 
herein. 

In the Title: 

Please change the title to --SYSTEM AND METHOD FOR VOTING--

In the Field of the Invention: 

Please replace the field of the invention with: 

--The field of the invention is voting, and in particular anonymous electronic voting
that cannot be linked to a particular voter, and where none of a series of votes from a single
voter can be linked to each other.--

GROUP ART UNIT: TBD
EXAMINER: TBD



In the Drawings: 

Please amend the drawings as indicated in red ink on the four attached sheets showing 
figures 2 through 5. 



In the Abstract of the Invention: 

Please replace the Abstract of the Invention with: 

--A system and method for electronic voting, including initialization, audit and trusted
recovery features. A vote request message is received from a voter, including an unblinded
validated vote certificate, and a blinded unvalidated vote certificate. If the unblinded validated
vote certificate is determined to be legitimate, then a vote is recorded, and the blinded
unvalidated vote certificate is validated to obtain a blinded, validated vote certificate that is
sent to the voter. An audit protocol can be used to further verify the legitimacy of any vote,
and a voter can recover from a broken connection by replaying a voting protocol run.--

In the Claims: 

Please amend the claims as follows: 
1. A method for initializing [a series of] an electronic voting transactions, comprising[
the steps of]:

a. receiving [an initialization] a voter registration request message that
atomically binds

i.

ii. a blinded unvalidated vote certificate to be validated;

b. determining if the vote authorization data is valid;

c. if the vote authorization data is valid, then validating the blinded unvalidated
vote certificate to obtain a blinded validated vote certificate; and

d. sending [an initialization] registration response message to a [registrant] voter
that includes the blinded validated vote certificate atomically bound to the
[initialization] registration request message[ received in step a].

2. The method of claim 1, further comprising the step of receiving a [registration] voter
acknowledgment message from a [registrant] voter acknowledging that the [registrant] voter
has received the [initialization] registration response message.

3. The method of claim 1, wherein the [initialization] registration request message
includes a nonce, a session key and a blinding factor applied to the nonce, and further
comprising the step of storing the [initialization] registration request message and the
[initialization] registration response message in a recovery database.

4. A method for recovering from an interruption in initializing an electronic voting 
transaction, comprising the steps of: 

a. receiving a first [initialization] registration request message from a
[registrant] voter that includes a nonce, a session key, and a blinding factor applied to the
nonce, and that atomically binds

i. vote authorization data, and

ii. a blinded unvalidated vote certificate to be validated;

b. storing the [initialization] registration request message in a recovery database;

c. determining if the vote authorization data is valid;

d. if the vote authorization data is valid, then validating the blinded unvalidated
vote certificate to obtain a blinded validated vote certificate;

e. sending a first [initialization] registration response message to a
[registrant] voter that includes the blinded validated vote certificate atomically
bound to the [initialization] registration request message[ received in step a];

f. storing the first [initialization] registration response message in a recovery
database;

g. receiving a second [initialization] registration request message;

h. determining if the second [initialization] registration request message has the
same nonce, session key, and blinding factor applied to the nonce as the first
[initialization] registration request message stored in the recovery database; and

i. if the second [initialization] registration request message has the same nonce,
session key, and blinding factor applied to the nonce as the first
[initialization] registration request message, then

1. retrieving the first [initialization] registration response message from
the recovery database; and

2. sending the first [initialization] registration response message to the
[registrant] voter.

5. A method for performing an electronic voting transaction, comprising the steps of:

a. receiving a voting transaction request message that atomically binds 

i. an unblinded vote certificate, and 

ii. a blinded unvalidated vote certificate to be validated; 

b. determining if the unblinded vote certificate is valid; and 

c. if the unblinded vote certificate is valid, then performing a vote transaction 
response that includes: 

i. validating the blinded unvalidated vote certificate to obtain a 
validated blinded vote certificate, and 

ii. sending the validated blinded vote certificate atomically bound
to the voting transaction request message to a voting transaction
response recipient in a vote transaction response message.

6. The method of claim 5, wherein the [transaction response further includes making
available a product to a party] vote certificate indicates a yes or a no vote.

7. The method of claim 5, wherein the [transaction response further includes obtaining
payment for a product] parity of the certificate indicates a yes or a no vote.

8. The method of claim 5, further comprising the step of receiving a transaction
acknowledgment message from a [registrant acknowledging that the] transaction response
recipient acknowledging that the transaction response recipient has received the voting
transaction response message.

9. The method of claim 5, further comprising the step of storing the voting transaction
request message and the voting transaction response message in a recovery database.



10. A method for recovering from an interruption in an electronic voting transaction, 
comprising the steps of: 

a. receiving a first voting transaction request message that includes a session key,
a nonce and a blinding factor applied to the nonce, and that atomically binds

i. an unblinded vote certificate, and

ii. a blinded unvalidated vote certificate to be validated;

b. storing the first voting transaction request message in a recovery database;

c. determining if the unblinded vote certificate is valid; and

d. if the unblinded vote certificate is valid, then performing a voting transaction
response that includes

i. validating the blinded unvalidated vote certificate to obtain a
validated blinded vote certificate,

ii. sending the validated blinded vote certificate atomically bound
to the voting transaction request message to a voting transaction
response recipient in a first voting transaction response
message, and

iii. storing the first voting transaction response message in a
recovery database;

e. receiving a second voting transaction request message that includes a session
key, a nonce and a blinding factor applied to the nonce, and that atomically
binds

i. an unblinded voting certificate, and

ii. a blinded unvalidated voting certificate to be validated;

f. determining if the second voting transaction request message has the same
nonce, session key, and blinding factor applied to the nonce as the first voting
transaction request message stored in the recovery database; and

g. if the second voting transaction request message has the same nonce, session
key, and blinding factor applied to the nonce as the first voting transaction
request message, then

i. retrieving the first voting transaction response message from the
recovery database, and

ii. sending the first voting transaction response message to the voting
transaction response recipient.

11. A method for auditing an electronic voting transaction, comprising the steps of:

a. receiving a voting transaction request message that atomically binds

i. an unblinded vote certificate.

ii. a blinded unvalidated vote certificate to be validated, and

iii. blinded vote audit data;

b. sending an vote audit request message atomically bound to the vote transaction
request message to [an audit recipient] a voter;

c. receiving an vote audit response message atomically bound to the vote audit 
transaction message, wherein the vote audit response message includes vote 
audit response data; 

d. determining if the blinded vote audit data is valid using the vote audit response 
data. 



12. The method of claim 11, wherein the vote audit response data is determined to be
valid if 

i. the vote audit response data corresponds to the blinded vote audit data 
received in the voting transaction request message, and 

ii. the vote audit response data is legitimate. 

13. An apparatus for initializing a series of electronic voting transactions, comprising:

a. a processor; and 

b. a memory [that stores] storing instructions adapted to be executed by said
processor to,

i. receive an [initialization] voter registration request message that
atomically binds vote authorization data and a blinded unvalidated vote
certificate to be validated;

ii. determine if the vote authorization data is valid; 

iii. if the vote authorization data is valid, then to validate the blinded 
unvalidated vote certificate to obtain a blinded validated vote 
certificate; and 

iv. send [an initialization] a voter registration response message to a 
[registrant] voter that includes the blinded validated vote certificate 
atomically bound to the [initialization] voter registration request 
message, 

said memory coupled to said processor. 

14. The apparatus of claim 13, [further comprising a port adapted to be coupled to a
network, said port coupled to said memory and said processor] wherein the certificate
indicates a yes or no vote.

15. An apparatus for performing an electronic voting transaction, comprising:

a. a processor; and 

b. a memory [that stores] storing instructions adapted to be executed by a 
processor to 

i. receive a voting transaction request message that atomically binds an
unblinded vote certificate and a blinded unvalidated vote certificate to 
be validated; 

ii. determine if the unblinded vote certificate is valid; and 

iii. if the unblinded vote certificate is valid, then to perform a vote 
transaction response that validates the blinded unvalidated vote 
certificate to obtain a validated blinded vote certificate, and sends the 
validated blinded vote certificate atomically bound to the voting 
transaction request message to a [transaction response recipient] voter
in a voting transaction response message,

said memory coupled to said processor.

16. The apparatus of claim 15, [further comprising a port adapted to be coupled to a
network, said port coupled to said memory and said processor] wherein the parity of the
certificate indicates a yes or a no vote.

17. An apparatus for auditing an electronic voting transaction, comprising:

a. a processor; and 

b. a memory [that stores] storing instructions adapted to be executed by said 
processor to 

i. receive a transaction request message that atomically binds an 
unblinded vote certificate and a blinded unvalidated vote certificate to 
be validated and blinded vote audit data; 

ii. send an vote audit request message atomically bound to the voting 
transaction request message to [an audit recipient] voter;

iii. receive a[n] vote audit response message atomically bound to the vote 
audit transaction message, where the vote audit response message 
includes vote audit response data; and 

iv. determine if the blinded vote audit data is valid using the vote audit 
response data, 

said memory coupled to said processor. 

18. The apparatus of claim 17, [further comprising a port adapted to be coupled to a
network, said port coupled to said processor and said memory] wherein the certificate
indicates a yes or no vote.

19. An apparatus for recovering from an interruption in an electronic voting transaction, 
comprising: 

a. a processor; and

b. a memory [that stores] storing instructions adapted to be executed by said
processor to

i. receive a first voting transaction request message that includes a
session key, a nonce and a blinding factor applied to the nonce, and
that atomically binds an unblinded vote certificate and a blinded
unvalidated vote certificate to be validated;

ii. store the first voting transaction request message in a recovery
database;

iii. determine if the unblinded vote certificate is valid;

iv. if the unblinded vote certificate is valid, then performing a voting
transaction response that validates the blinded unvalidated vote
certificate to obtain a validated blinded vote certificate, sends the
validated blinded vote certificate atomically bound to the voting
transaction request message to a voting transaction response recipient
in a first voting transaction response message, and stores the first
voting transaction response message in a recovery database;

v. receive a second voting transaction request message that includes a
session key, a nonce and a blinding factor applied to the nonce, and
that atomically binds an unblinded vote certificate and a blinded
unvalidated vote certificate to be validated;

vi. determine if the second voting transaction request message has the
same nonce, session key, and blinding factor applied to the nonce as
the first voting transaction request message stored in the recovery
database;

vii. if the second voting transaction request message has the same nonce,
session key, and blinding factor applied to the nonce as the first voting
transaction request message, then to retrieve the first voting transaction
response message from the recovery database and send the first voting
transaction response message to the voting transaction response
recipient,

said memory coupled to said processor.

20. The apparatus of claim 19, [further comprising a port adapted to be coupled to a
network, said port coupled to said processor and said memory] wherein the parity of the
certificate indicates a yes or a no vote.

21. A medium [that stores] storing instructions adapted to be executed by a processor to
perform the steps of: 

a. receiving a[n initialization] voter registration request message that atomically 
binds 

i. vote authorization data, and 

ii. a blinded unvalidated vote certificate to be validated; 

b. determining if the vote authorization data is valid; 

c. if the vote authorization data is valid, then validating the blinded unvalidated 
vote certificate to obtain a blinded validated vote certificate; and 

d. sending a[n initialization] voter registration response message to a [registrant] 
voter that includes the blinded validated vote certificate atomically bound to 
the [initialization] voter registration request message[ received in step a]. 

22. A medium [that stores] storing instructions adapted to be executed by a processor to 
perform the steps of: 

a. receiving a voting transaction request message that atomically binds 

i. an unblinded vote certificate, and 

ii. a blinded unvalidated vote certificate to be validated; 

b. determining if the unblinded vote certificate is valid; and 

c. if the unblinded vote certificate is valid, then performing a voting transaction
response that includes

i. validating the blinded unvalidated vote certificate to obtain a validated
blinded vote certificate, and

ii. sending the validated blinded vote certificate atomically bound to the
voting transaction request message to a voting transaction response
recipient in a voting transaction response message.

23. A medium [that stores] storing instructions adapted to be executed by a processor to
perform the steps of:

a. receiving a voting transaction request message that atomically binds

i. an unblinded vote certificate. 

ii. a blinded unvalidated vote certificate to be validated, and 

iii. blinded vote audit data; 

b. sending a[n] vote audit request message atomically bound to the voting 
transaction request message to a[n audit recipient] voter;

c. receiving a[n] vote audit response message atomically bound to the vote audit 
transaction message, wherein the vote audit response message includes vote 
audit response data; 

d. determining if the blinded vote audit data is valid using the vote audit response 
data. 

24. A system for performing an electronic voting transaction, comprising: 

a. means for receiving a voting transaction request message that atomically binds 

i. an unblinded vote certificate, and 

ii. a blinded unvalidated vote certificate to be validated; 

b. means for determining if the unblinded vote certificate is valid; and 

c. means for validating the blinded unvalidated vote certificate to obtain a 
validated blinded vote certificate; and 

d. means for sending the validated blinded vote certificate atomically bound to
the voting transaction request message to a [transaction response
recipient] voter in a voting transaction response message.

25. The system of claim 24, further comprising means for auditing an electronic voting
transaction.

26. The system of claim 24, further comprising means for initializing a series of electronic
voting transactions.

27. The system of claim 24, further comprising means for recovering from an interruption
in an electronic voting transaction.



The applicants respectfully request the entry of the amendments presented herein, and 
earnestly solicit a notice of allowance. The examiner is invited to contact the undersigned at 
(202) 220-4250 with any questions or comments. 



Date: [illegible]



KENYON & KENYON 
1500 K Street, N.W., Suite 700 
Washington, DC 20005 
Phone: (202) 220-4200 
Facsimile: (202) 220-4201 



CONCLUSION 




Respectfully submitted, 



TjaryS. Morris 
(Reg. No. 40,735) 
SYSTEM AND METHOD FOR ELECTRONIC TRANSACTIONS

FIELD OF THE INVENTION

The field of this invention is electronic transactions, and in
particular to providing electronic transactions that cannot be
linked to a party to the transaction, even when more than one
related transaction occurs.

BACKGROUND OF THE INVENTION

Electronic transactions should be convenient, reliable, accurate
and resistant to fraud. Certain electronic transactions should also
protect the privacy of at least one party to the transaction. For
example, a customer purchasing a service from a vendor over a
network should be able to pay for the service in an electronic
transaction without revealing their identity.

The need for one party to a transaction to remain private (e.g.,
anonymous) can conflict with the interests of another party to the
transaction. For example, a vendor needs assurance that an
electronic transaction is reliable, e.g., that the customer in the
transaction will pay for the services rendered by the vendor.
Typically, a vendor uses information about a customer to assess the
vendor's risk in engaging in the transaction, and to track down
delinquent customers when necessary. A good electronic transaction
system would accommodate both the privacy needs of one party and
the reliability needs of another party.

Known electronic transaction systems generally fail to accommodate
both privacy interests and reliability interests of different
parties, typically sacrificing one in favor of the other. One known
system, an anonymizer, protects the identity of a customer from
being disclosed to a vendor, but the customer identity is known to
the anonymizer, and a customer's activity can be profiled across
vendors. See Community Connexion, Inc. <http://www.anonymizer.com>.
In a sense, the anonymizer is worse than a single vendor, because a
single vendor can typically only profile a customer's behavior with
respect to the vendor itself. On the other hand, the anonymizer can
profile customer transactions across several vendors, not just one.
The customer is thus forced to place considerable trust in the
anonymizer, which if unwarranted, could lead to a substantial
breach of the customer's privacy.

Another known system uses electronic cash ("e-cash"), wherein a
customer obtains an electronic certificate that is redeemable at a
vendor for the vendor's product. See D. Chaum, Untraceable
Electronic Mail, Return Addresses, and Digital Pseudonyms, CACM 24,
2, Feb. 1981, pp. 84-88; D. Chaum, Security Without Identification:
Transaction Systems to Make Big Brother Obsolete, CACM (28,10),
October 1985, pp. 1030-1044; D. Chaum, A. Fiat, and M. Naor,
Untraceable Electronic Cash, CRYPTO 88, pp. 319-327; E. Brickell,
P. Gemmell, and D. Kravitz, Trustee-based Tracing Extensions to
Anonymous Cash and the Making of Anonymous Change, Proceedings of
the Sixth Annual ACM-SIAM Symposium on Discrete Algorithms, pp.
457-466, San Francisco, California, 22-24 January 1995; M. Franklin
and M. Yung, Towards Provably Secure Efficient Electronic Cash,
Columbia University CS Technical Report, TR CUCS-018-92, 1992; and
D. Simon, Anonymous Communication and Anonymous Cash, CRYPTO 96,
pp. 61-73. One known system uses credit card information to carry
out an electronic transaction. Secure Electronic Transaction (SET)
Specification, August 1, 1996. As used herein, the term "product"
includes a good and/or a service. Providing a service includes
providing any kind of information. The electronic certificate is
meant to be spent only once, and can be verified by the vendor
before the vendor provides the product. One type of fraud to which
these known systems can be vulnerable is the multiple spending of a
certificate. Elaborate safeguards have been designed to detect when
a certificate submitted for a product has already been spent. Many
of these safeguards involve revealing the identity of the customer,
thereby violating the customer's privacy.
A known technique for protecting the anonymity of a certificate
owner is called blinding. See D. Chaum, Untraceable Electronic
Mail, Return Addresses, and Digital Pseudonyms, CACM 24, 2, Feb.
1981, pp. 84-88; D. Chaum, Security Without Identification:
Transaction Systems to Make Big Brother Obsolete, CACM (28,10),
October 1985, pp. 1030-1044; and D. Chaum, A. Fiat, and M. Naor,
Untraceable Electronic Cash, CRYPTO 88, pp. 319-327. A customer
chooses a nonce and a blinding factor. A nonce is a piece of data
that, for practical purposes, is used only once. For example, a
random number can be a nonce. Both the nonce and the blinding
factor are known only to the customer. The customer applies the
blinding factor to the nonce (e.g., by multiplying the nonce by the
blinding factor), and submits the blinded nonce to a certification
authority along with a payment. In exchange for the payment, the
certification authority signs the blinded nonce to obtain a blinded
certificate. The blinded certificate is returned to the customer.
When the customer wishes to make a purchase, the customer unblinds
the certificate (e.g., by dividing the certificate by the blinding
factor) to obtain an unblinded certificate. Because only the
customer knows the blinding factor, no other party can correlate
the unblinded certificate with the blinded certificate. The
customer submits the unblinded certificate along with the nonce to
a vendor with a request for the desired product. The vendor can
verify the validity of the unblinded certificate using the nonce
upon which it is based using techniques known in the art. Because
of the commutativity of modular arithmetic and the mathematical
nature of the signing process, the signed nonce corresponds to the
unblinded certificate. If the unblinded certificate is determined
to be valid, then the vendor makes the product available to the
customer. Otherwise, the product is not made available to the
Although the use of blinding alone protects the anonymity of the
customer, it is not sufficient to safeguard against certain types
of fraud. For example, a customer can submit a blinded nonce to the
certification authority along with $20, receive the blinded
certificate, unblind it, and then submit the unblinded certificate
as being worth $100. This is possible because the certification
authority never really sees the actual certificate it is signing
because of the blinding factor. Thus, although blinding alone
protects privacy, it does not by itself provide adequate
reliability.

The problem of reliably linking a denomination to a certificate is
addressed by the use of hash functions. A hash is a one-way
function whereby it is easy to obtain an output from a given input,
but is very difficult to derive an input from a given output. To
obtain a certificate that only a particular customer can use, the
customer presents a certification authority (e.g., a bank) with a
payment and a hashed nonce. The hash function used by the customer
is also known by the bank. The bank signs the hashed nonce linked
to a denomination to obtain a certificate, which is returned to the
customer. To use the certificate, the customer redeems the
certificate, the nonce and the denomination to a vendor, who in
turn presents the certificate, the nonce and the denomination to
the bank. The bank verifies the certificate using a publicly
available verification key. If the certificate is verified as being
valid, then the bank authorizes the vendor to provide the customer
with the requested product, and credits the vendor's account. If
the signature and the certificate do not correspond, then the bank
notifies the vendor that the certificate is invalid. After the
certificate is spent, the bank must record the hashed random number
to prevent it from being spent again. The use of hash functions
alone is reliable because in order to fraudulently spend a
certificate, a third party would have to deduce the nonce from the
certificate. This is made practically impossible by using a hash
function to derive the certificate from the nonce. However, since
the customer's certificate is known to the bank both during the
initial certification process and the redemption process, the
identity (and thus the privacy) of the customer can be compromised
by the bank.
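The two known schemes described in the preceding paragraphs (blinding alone, then a hashed nonce signed together with a denomination) can be run side by side. This is an added example, not part of the patent text; textbook RSA, SHA-256, the constructed key and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed textbook RSA key for the certification authority (two Mersenne
# primes, no padding). Illustrative only; far too weak for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def ca_sign(value: int) -> int:
    """The authority signs whatever integer it is handed."""
    return pow(value, D, N)


def verify(cert: int, value: int) -> bool:
    """Anyone holding the public key (N, E) can check a certificate."""
    return pow(cert, E, N) == value % N


# --- Scheme 1: blinding alone (the RSA instantiation is an assumption) ---
def new_blinding_factor() -> int:
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:          # r must be invertible mod N
            return r


def blind(nonce: int, r: int) -> int:
    # Multiply by r^E so that signing (raising to D) leaves a plain factor r.
    return (nonce * pow(r, E, N)) % N


def unblind(blinded_cert: int, r: int) -> int:
    # "Divide" by the blinding factor: multiply by its inverse mod N.
    return (blinded_cert * pow(r, -1, N)) % N


def vendor_accepts_blinded(cert: int, nonce: int, claimed_value: int) -> bool:
    # The signature covers only the nonce, so claimed_value cannot be checked.
    return verify(cert, nonce)


# --- Scheme 2: hashed nonce signed together with a denomination ---
def hash_nonce(nonce: bytes) -> bytes:
    return hashlib.sha256(nonce).digest()


def bind(hashed_nonce: bytes, denomination: int) -> int:
    data = hashed_nonce + str(denomination).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class HashBank:
    def __init__(self):
        self.issued = {}      # hashed nonce -> customer who paid for it
        self.spent = set()    # hashed nonces already redeemed

    def issue(self, customer: str, hashed_nonce: bytes, denomination: int) -> int:
        self.issued[hashed_nonce] = customer
        return ca_sign(bind(hashed_nonce, denomination))

    def redeem(self, cert: int, nonce: bytes, denomination: int) -> str:
        hashed = hash_nonce(nonce)
        if not verify(cert, bind(hashed, denomination)):
            return "invalid"
        if hashed in self.spent:
            return "already spent"
        self.spent.add(hashed)
        # Privacy cost: the bank saw this hashed nonce at issuance.
        return "valid, bought by " + self.issued.get(hashed, "unknown")


if __name__ == "__main__":
    nonce, r = secrets.randbelow(N - 2) + 2, new_blinding_factor()
    blinded_cert = ca_sign(blind(nonce, r))      # CA never sees the nonce
    cert = unblind(blinded_cert, r)
    print("unblinded certificate verifies:", verify(cert, nonce))
    print("accepted as 20 and as 100:",
          vendor_accepts_blinded(cert, nonce, 20),
          vendor_accepts_blinded(cert, nonce, 100))

    bank = HashBank()
    secret = b"constructed-sample-nonce"         # constructed sample value
    c = bank.issue("customer-A", hash_nonce(secret), 20)
    print(bank.redeem(c, secret, 100))   # denomination is bound to the cert
    print(bank.redeem(c, secret, 20))    # accepted, but linked to the buyer
    print(bank.redeem(c, secret, 20))    # second spend is detected
```

The first scheme hides the certificate from the signer but leaves the denomination unbound; the second binds the denomination and catches a second spend, at the cost of the bank being able to name the buyer at redemption.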

Balancing privacy and reliability interests across more than one
transaction is challenging because a transaction which is reliable
and private alone can often be correlated with other transactions
from the same customer to compromise privacy, reliability, or both
in known systems. Thus, a series of transactions could be
unreliable and compromise privacy. As used herein, a series of
transactions is meant to include both a single transaction, as well
as more than one transaction. Privacy and reliability should be
provided for both the case of a single transaction, and more than
one related transaction.

An example of a series of transactions is a subscription service,
e.g., paying a fee for a password that can be used to repeatedly
access a service for a predetermined amount of time and/or use. A
subscription service is one in which the customer pays an initial
amount to receive a product from a vendor in installments. Note
that in the degenerate case, a subscription service includes only a
single transaction. In certain known electronic commerce systems,
the customer makes an initial payment to a subscription vendor, who
in return gives the customer means (such as a password) to
periodically obtain the vendor's product over a predetermined
period of time. Subscriptions are commonly sold on an individual
basis. Under such a policy, for example, two individuals seeking a
subscription should pay the vendor separately; each would then
receive her own subscription and password. If one individual pays
for a subscription and shares her password with a second person,
then two people are able to receive the subscription vendor's
product while only one is paying for it. This problem of sharing
distinguishes an e-commerce system suitable for subscription
services from known systems such as e-cash. In e-cash systems, a
certificate is meant to be fungible and readily transferable. In an
e-commerce system capable of supporting subscription services, such
transferability must be prevented or curtailed.

To counter the sharing's threat to the reliability of a
subscription transaction, the subscription vendor has a strong
interest in monitoring the subscribing customer's behavior to
ensure that the customer is not sharing her subscription with
others who have not paid the vendor. For example, unusually high
activity in a single account could indicate fraud, e.g., that many
different individuals are making use of a single subscription. On
the other hand, the customer may prefer to have her privacy
respected and not to have her activity monitored. For example, a
customer subscribing to a database service may wish to keep the
searches she makes private. Likewise, a customer ordering
pay-per-use movies may wish to keep the identity of the movies he
orders confidential. These privacy interests should be accommodated
by a good electronic transaction system in a subscription-type
setting. Known techniques exist for issuing pseudonyms, thus
linking customer behavior to the pseudonym rather than to the
customer. However, these still allow profiles (e.g., of customer
behavior) to be constructed if even one pseudonymous transaction is
broken or accidentally identifies the customer. Then, all of the
customer's past and future behavior can be linked to that customer.
A better system for electronic transactions would not suffer from
this limitation.

A good electronic transaction system would accommodate both the
needs of the customer for privacy and of the vendor for reliability
in a single electronic transaction, and in more than one related
transaction, in part by preventing sharing.

SUMMARY OF THE INVENTION

The present invention advantageously uses the 
exchange of blinded certificates to provide a reliable, 
private system for electronic transactions that deters the 
illicit sharing of certificates for such transactions. 
Rather than operating like e-cash, in which a payment 
vehicle is redeemed for a product (as used herein, the 
term "product" means goods and/or services) in a way that 
changes the funds available to the customer, the present 
invention acts more like a membership pass. That is, the 
customer starts with a certificate, gains access to a
product in exchange for the certificate, and ends with
both the product and a certificate. Unlike e-cash, the
value of the customer's use of certificates in accordance
with the present invention is related to the amount of
time (or number of certificates) remaining in the
customer's contract (e.g., membership or subscription
term). Theoretically, this could allow the customer to be
profiled by tracking the number of certificates used (or
available for use) by the customer. However, this would
not be a practical problem for applications where, for
example, thousands of people subscribe to something that
can only be used 5 times. Indeed, knowing that a customer
has, say, three certificate redemptions left cannot reveal
very much to a vendor. Audit and trusted recovery methods
are provided to enhance the security and robustness of the
present invention.

The present invention is private and reliable both
for a single electronic transaction, and a series of
related transactions. In accordance with an embodiment of
the present invention, a first party (e.g., a customer)
registers with a registrar to obtain an initial validated
certificate. In one embodiment, the registrar is a second
party. In subsequent transactions, a first party (e.g., a
customer) submits a validated certificate along with an
unvalidated certificate to a third party (e.g., a vendor)
for each transaction. The third party tests the validity
of the certificate purported by the first party to be
validated. If it proves to be valid, the third party
performs a response action (e.g., provides a service) and
ordinarily validates the unvalidated certificate and
returns it to the first party to be used as the validated
certificate for the next transaction. Alternatively, the
registrar (if different from the third party, then in
cooperation with the third party) can declare an audit,
and determine if the first party has presented its
certificate fraudulently. These exchanges are atomic in
nature, meaning that they can be reliably correlated with
each other (e.g., a practically unforgeable secret session
key is sent along with each related message in the
exchange, guaranteeing that the messages are part of the
same transaction).

In an alternative embodiment, the registrar is a
vendor.

Hashing of random numbers (i.e., nonces) and the
technique of blinding are used in the present invention to
provide unlinkable certificates. As known in the art, the
technique of blinding is used differently, e.g., to
provide pseudonyms in an alternative to a universal
identification system. See D. Chaum, Security Without
Identification: Transaction Systems to Make Big Brother
Obsolete, CACM (28,10), October 1985, pp. 1030-1044. Each
such pseudonym is supposed to identify its owner to some
institution and not be linkable across different
institutions. The present invention is designed to provide
certificates that are designed to be unlinkable both
across institutions and across transactions within a
single institution. In particular, the present invention
prevents a vendor from linking transactions to a single
customer, even if that customer had to identify itself
initially (e.g., during the registration process). At the
same time, the present invention advantageously allows the
vendor to protect itself against customers that abuse the
vendor's service.

Another difference between the present invention and 
the prior art is the manner in which blinding is 
performed. In known systems, some mechanism is typically 
needed to assure either the issuing bank or receiving 
vendor that the certificate blindly signed by the issuer 
has the right form, i.e., that the customer has not 
tricked the signer into signing something inappropriate. 
The present invention advantageously eliminates this 
requirement by providing assurances in other parts of the 
system, simplifying the blinding scheme. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG 1 shows a flow chart illustrating an embodiment of the 
initialization method of the present invention. 
FIG 2 shows a flow chart illustrating an embodiment of the 
electronic transaction method of the present invention. 
FIG 3 shows a flow chart illustrating an embodiment of the 
audit method in accordance with the present invention. 
FIG 4 shows a flow chart illustrating an embodiment of the 
method for recovering from a broken connection in 
accordance with the present invention. 

FIG 5 shows an embodiment of the apparatus in accordance 
with the present invention. 

DETAILED DESCRIPTION 
An embodiment of the registration method in
accordance with the present invention is shown in FIG 1.
A registrar receives an initialization request message
that atomically binds authorization data with a blinded
unvalidated certificate to be validated, step 101. In one
embodiment of the present invention, the registrar is a
vendor. In another embodiment, the registrar is a third
party.

An example of authorization data is a payment.
Another example of authorization data is access permission
(e.g., an access code, one-time password, etc.). An
example of a blinded unvalidated certificate is a hashed
nonce combined with a blinding factor.

The registrar determines if the authorization data is
valid, step 102. If it is determined to be valid, then
the blinded unvalidated certificate is validated to obtain
a blinded validated certificate, step 103. For example,
the registrar signs the blinded unvalidated certificate to
validate it. The registrar party then sends an
initialization response message that includes the blinded
validated certificate atomically bound to the
initialization request message, step 104. The
initialization request message can be atomically bound to
the initialization response message by including in both
a secret encrypted session key that reliably identifies
both messages as being bound to each other.

An embodiment of the registration protocol is shown 
in the following exchange of messages: 

Message 1: C->V: {Payment, Kcv}, [Request for certificate of type S, C, h(N1)]Kcv

Message 2: V->C: [h(N1)]s

The first message is from a customer with customer 
identifier C to a registrar, which in this embodiment is 
vendor V. The portion of the message in the brackets {} is 
confidential. For example, in one embodiment, the portion 
of the message in the brackets is encrypted. In another 
embodiment, the confidentiality of this portion of the 
message is protected by sending it over a secure path 
between C and V. The confidential portion of the message 
in this embodiment is a Payment and a "session key," Kcv. 
The Payment in one embodiment is electronic cash. In 
another embodiment it is a credit card number. Session 
key Kcv is used throughout a single protocol run (e.g., of 
registration, redemption, etc.), although it should be 
changing in a way that depends on the previous messages of 
that run. However, a session key from one transaction 
should be unrelated to the session key of any other 
transaction in order to prevent a set of transactions from 
being linked. It should be noted that a "run" or single
transaction refers to an embodiment of a single instance of
a method in accordance with the present invention. For
example, a single run of an embodiment of a redemption
transaction would involve: receiving a transaction request
message that atomically binds an unblinded certificate and
a blinded unvalidated certificate to be validated;
determining if the unblinded certificate is valid; and if
the unblinded certificate is valid, then performing a
transaction response that includes validating the blinded
unvalidated certificate to obtain a validated blinded
certificate; and sending the validated blinded certificate
atomically bound to the transaction request message to a
transaction response recipient in a transaction response
message.

The portions of the messages in the braces [] are
authenticated. That is, the recipient is provided with
the means to ensure that the purported sender is the true
sender. As shown above, the portion of the message in the
braces is authenticated by signing it with the
cryptographic key secretly sent in the confidential
portion of the message. The authenticated portion includes
a request for a certificate for a particular type of
service, S, the customer identifier, C, and a blinded
hashed nonce h(N1). The nonce N1 is hashed so that, given
the hashed nonce h(N1), it is difficult to obtain the
corresponding nonce, N1, but given the nonce, N1, it is
relatively straightforward to obtain the hashed nonce,
h(N1). This is an advantageous property during the
redemption process. In one embodiment, the registration
process further includes an authenticated acknowledgment
message:

Message 3: C->V: [Ack]Kcv

An embodiment of the redemption process in accordance
with the present invention is shown in FIG 2. A first
party (e.g., a customer) unblinds a validated blinded
certificate, step 201. The blinded validated certificate
was validated either by a registrar as the result of a
successful registration (see FIG 1, step 103), or by a
second party (e.g., a vendor) as the result of a
successful earlier redemption. A transaction request
message is received at the second party from a registered
first party (e.g., a registered customer), step 202. The
transaction request message atomically binds an unblinded
certificate with a blinded unvalidated certificate to be
validated. In one embodiment of the present invention, the
blinded unvalidated certificate is a blinded hashed nonce.
The second party determines if the unblinded certificate
is valid, step 203. If the unblinded certificate is valid,
then a transaction response is performed, step 204.

An embodiment of the redemption process is shown in 
the following exchange of messages: 

Message 1: C->V: {[h(N(i))]s, Ni, Kcv} [Request for transaction of type S, h(N(i+1))]Kcv

Message 2: V->C: [Approved]Kcv OR [Not Approved]Kcv

Message 3: C<->V: [Transaction]Kcv

Message 4: V->C: [h(N(i+1))]s

In Message 1, a validated unblinded hashed nonce h(Ni),
the nonce Ni and the key Kcv are sent
confidentially from the customer C to the vendor V. Also
sent is an authenticated request for a transaction of type
S and an unvalidated blinded hashed (new) nonce,
h(N(i+1)). The vendor performs the one-way hash function
on nonce Ni and compares the result to the validated
unblinded hashed nonce h(Ni). If the two correspond, then
the vendor determines that the validated unblinded hashed
nonce is a valid certificate, sends an approval message in
Message 2, and engages in the transaction in Message 3.
Finally, the vendor validates the blinded hashed nonce of
Message 1 and sends it to the customer. In one embodiment,
the customer then sends an authenticated acknowledgment
message upon receiving the validated blinded hashed nonce
from the vendor:

Message 5: C->V: [Ack]Kcv
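
The registration and redemption exchanges above, as an added example that is not part of the patent text. It assumes textbook RSA blinding over SHA-256 with a constructed, undersized demo key (the page names no signature scheme) and omits the session key Kcv and the confidentiality and authentication wrappers; all class and function names are hypothetical.

```python
import hashlib
import math
import secrets

# Constructed demo key from two Mersenne primes: far too small for real use.
# Assumption: RSA blind signatures; the page does not name a scheme.
P, Q = 2**127 - 1, 2**89 - 1
N_MOD, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor's private exponent


def h(nonce: bytes) -> int:
    """One-way hash of a nonce, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N_MOD


class Customer:
    def __init__(self):
        self.nonce = None       # Ni behind the current validated certificate
        self.cert = None        # [h(Ni)]s after unblinding
        self.pending = None     # (N(i+1), blinding factor) awaiting validation

    def new_blinded_cert(self) -> int:
        """Pick a fresh nonce and return its blinded hash."""
        nonce = secrets.token_bytes(16)
        r = 0
        while r < 2 or math.gcd(r, N_MOD) != 1:
            r = secrets.randbelow(N_MOD)
        self.pending = (nonce, r)
        return (h(nonce) * pow(r, E, N_MOD)) % N_MOD

    def accept(self, blinded_validated: int) -> None:
        """Unblind the vendor's reply and check the signature before use."""
        nonce, r = self.pending
        cert = (blinded_validated * pow(r, -1, N_MOD)) % N_MOD
        if pow(cert, E, N_MOD) != h(nonce):
            raise ValueError("reply is not a valid signature on h(nonce)")
        self.nonce, self.cert, self.pending = nonce, cert, None


class Vendor:
    def __init__(self):
        self.spent = set()      # h(Ni) values already redeemed
        self.issued = []        # blinded signatures handed out
        self.presented = []     # unblinded certificates later shown

    def validate(self, blinded: int) -> int:
        """Sign a blinded hash without learning the hash inside it."""
        signed = pow(blinded, D, N_MOD)
        self.issued.append(signed)
        return signed

    def register(self, payment_ok: bool, blinded: int):
        """Registration Messages 1-2: validate only if authorization is valid."""
        return self.validate(blinded) if payment_ok else None

    def redeem(self, cert: int, nonce: bytes, blinded_next: int):
        """Redemption Messages 1 and 4; returns None for 'Not Approved'."""
        hn = h(nonce)
        if pow(cert, E, N_MOD) != hn or hn in self.spent:
            return None
        self.spent.add(hn)
        self.presented.append(cert)
        return self.validate(blinded_next)


def run_subscription(installments: int = 3):
    """Register once, redeem `installments` times, then replay the first cert."""
    vendor, customer = Vendor(), Customer()
    customer.accept(vendor.register(True, customer.new_blinded_cert()))
    first_cert, first_nonce = customer.cert, customer.nonce
    redeemed = 0
    for _ in range(installments):
        reply = vendor.redeem(customer.cert, customer.nonce,
                              customer.new_blinded_cert())
        if reply is None:
            break
        customer.accept(reply)
        redeemed += 1
    # A shared or replayed certificate is already spent: nothing new is issued.
    replay = vendor.redeem(first_cert, first_nonce,
                           Customer().new_blinded_cert())
    return redeemed, replay, vendor


if __name__ == "__main__":
    count, replay, vendor = run_subscription()
    print("redemptions:", count, "| replay accepted:", replay is not None)
    print("issued/presented overlap:",
          bool(set(vendor.issued) & set(vendor.presented)))
```

The vendor's `issued` and `presented` lists share no value, which is the unlinkability property: what it signed cannot be matched to what is later shown.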

In one embodiment of the present invention, a
transaction response includes validating the blinded
unvalidated certificate to obtain a validated blinded
certificate, and sending the validated blinded certificate
atomically bound to the transaction request message to a
transaction response recipient. A transaction response
recipient can be the first party (e.g., customer) or
another party. For example, in one embodiment, a
transaction response is a gift sent to a third party. In
another embodiment, a transaction response message is a
control signal sent to a piece of factory equipment. In
one embodiment, the present invention provides a way for
anonymous monitoring of a piece of equipment. When the
status of the equipment is desired by an authorized (i.e.,
registered) entity, the entity sends an unblinded
validated certificate and blinded unvalidated certificate
to the equipment, which sends back status data along with
a validated blinded certificate in accordance with the
present invention.

In a subscription service, the certificate exchange
may be repeated each time the subscriber (the first party)
purchases an installment of the subscription from the
vendor (the second party). An installment of the
subscription can include the transmission of information
that is sent each time a validated blinded certificate is
sent to the subscriber. For example, the results of a
database search can be sent each time a validated blinded
certificate is sent to the subscriber.

In one embodiment of the present invention, audit
data is included to help protect against fraud. The
transaction request message atomically binds an unblinded
certificate, a blinded unvalidated certificate to be
validated, and blinded audit data. Not every message is
audited, so the blinding of the audit data protects the
privacy of the first party when no audit is performed.

Audits are typically performed randomly in accordance
with the present invention. However, audits can also be
triggered, for example, by unusual service activity that
may indicate that a subscriber is sharing its certificates
with other, non-paying parties. For example, an
exceptionally high volume of traffic accessing a database
or telephone service may indicate a heightened necessity
for audits of transaction requests accessing the database
or service.

An embodiment of the audit method in accordance with
the present invention is shown in FIG 3. During
registration, the customer provides an audit secret to the
registrar, step 301. In this embodiment, the registrar is
also the vendor. In another embodiment, the registrar is
a third party. During the redemption process, every
transaction request message from the customer includes a
blinded version of the audit secret. Thus, the vendor
receives a transaction request message with a blinded
audit secret, step 302. Rather than sending an audit
response message to the customer, the vendor sends an
audit request message atomically bound to the transaction
request message, step 303. The vendor receives an audit
response message from the customer that includes audit
response data, step 304. In one embodiment, the audit
response data includes an audit secret and the audit
blinding factor. As with the blinded certificate, the
audit blinding factor is combined with the audit secret in
transaction requests to hide the audit secret from the
vendor until an audit is initiated by the vendor. The
vendor determines if the transaction request message of
step 302 is legitimate using the audit response data, step
305. In one embodiment, the transaction request message is
legitimate if the audit secret combined with the blinding
factor provided in the audit response message corresponds
to the blinded audit secret received in the transaction
request message of step 302. If the transaction message of
step 302 is determined to be legitimate, step 306, then
the vendor validates the blinded unvalidated certificate
received from the customer in the transaction request
message of step 302, step 307. The vendor then sends the
validated blinded certificate to the customer, step 308.
If the transaction request message of step 302 is
determined not to be legitimate, step 306, then in one
embodiment, the customer's transaction is terminated, step
309. That is, no certificate is validated and returned to
the customer.

An embodiment of the redemption process with audit
features included in accordance with the present invention
is shown in the following exchange of messages:

Message 1: C->V: {[h(N(i))]s, Ni, Kcv} [Request for transaction of type S, h(N(i+1)), h(Ni, Audit_Secret, Salt)]Kcv

Message 2: V->C: [Approved]Kcv OR [Not Approved]Kcv OR [Audit]Kcv

Message 3: C<->V: [Transaction]Kcv

Message 4: V->C: [h(N(i+1))]s

The messages are the same as for the redemption protocol
except for the following: First, a hashed combination of
the nonce Ni, audit secret Audit_Secret and Salt is
included in Message 1. Salt is a random number that is a
nonce. The purpose of Salt is explained below. Second, a
response option has been added to Message 2, i.e.,
initiating an audit with an authenticated audit initiation
message [Audit]Kcv.

An embodiment of the audit process in accordance with
the present invention is shown as follows:

Message 1: C->V: {[h(N(i))]s, Ni, Kcv} [Request for transaction of type S, h(N(i+1)), h(Ni, Audit_Secret, Salt)]Kcv

Message 2: V->C: [Audit]Kcv

Message 3: C->V: {C, Ni, Audit_Secret, Salt}Kcv

Message 4: V->C: [h(N(i+1))]s OR [Not Approved]Kcv



Message 1 is a transaction request with audit
features. In message 2, the vendor V initiates an audit
by sending an authenticated audit initiation message. The
customer sends an audit response message to the vendor.
The audit response message in this embodiment includes
audit data comprising the customer identifier, C, the
nonce Ni, an audit secret Audit_Secret, and Salt. The
vendor in this embodiment is also the registrar, and so
has the Audit_Secret received from customer C during the
registration process. First, the vendor compares the audit
secret received in Message 3 with the audit secret
received from the customer in the customer's registration
message. These must correspond in order for the vendor to
determine that Message 1 is legitimate. The vendor also
hashes the audit secret, nonce and salt received in
Message 3 and compares it to the hashed combination of the
audit secret, nonce and Salt received in Message 1. These
must also correspond so that the vendor knows that the
audit secret provided by the customer in Message 3 is the
same as the audit secret embedded in Message 1. If both of
these correspondences are established, then the
transaction response message (Message 1) is determined to
be legitimate, and a validated blinded hash is sent to the
customer in Message 4. In one embodiment of the present
invention, an authenticated acknowledgment message is sent
from the customer to the vendor when the customer receives
Message 4:

Message 5: C->V: [Ack]Kcv

The purpose of the Salt in the above messages is to
protect the anonymity of the customer and the
unlinkability of the customer's transactions based upon
audit information. Without Salt, a vendor could associate
a transaction request message with a customer's identity
using h(Ni, Audit_Secret) received in the transaction
request message. Recall that when the vendor is the
registrar, the vendor has a record of audit secrets
received during the registration process from customers,
with each audit secret associated with a customer
identifier. A vendor could hash the nonce Ni received in
a transaction request message with the audit secrets it
knows from registration until a match is found with the
audit data received in the transaction request message.
In order to prevent such an exhaustive search from
revealing a customer identity, nonce Salt is hashed with
the audit secret and nonce Ni in each transaction response
message. Because Salt is a nonce, it changes from message
to message, rendering the audit data in a transaction
request message untraceable by the vendor.
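
The role of Salt and the two audit correspondences, as an added example that is not part of the patent text. It assumes SHA-256 over length-prefixed fields for h(...), and the registration records, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def H(*parts: bytes) -> bytes:
    """Hash a tuple of fields. Each field is length-prefixed so that
    (b"ab", b"c") and (b"a", b"bc") hash differently."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()


# Constructed registration records held by a vendor that is also the
# registrar: customer identifier -> audit secret.
REGISTERED = {
    "alice": b"constructed-audit-secret-A",
    "bob": b"constructed-audit-secret-B",
    "carol": b"constructed-audit-secret-C",
}


def audit_field(nonce: bytes, audit_secret: bytes, salt: bytes = None) -> bytes:
    """Blinded audit data carried in Message 1, with or without Salt."""
    if salt is None:
        return H(nonce, audit_secret)
    return H(nonce, audit_secret, salt)


def vendor_link_attempt(nonce: bytes, field: bytes):
    """The exhaustive search from the text: hash the nonce just received
    with every audit secret on file and look for a match."""
    for customer_id, secret in REGISTERED.items():
        if hmac.compare_digest(H(nonce, secret), field):
            return customer_id
    return None


def vendor_audit(field: bytes, customer_id: str, nonce: bytes,
                 audit_secret: bytes, salt: bytes) -> bool:
    """Message 3 check; both correspondences must hold."""
    on_file = REGISTERED.get(customer_id)
    # 1. The secret revealed now equals the one given at registration.
    if on_file is None or not hmac.compare_digest(on_file, audit_secret):
        return False
    # 2. The revealed values reproduce the audit data sent in Message 1.
    return hmac.compare_digest(H(nonce, audit_secret, salt), field)


def demo() -> dict:
    ni, salt = secrets.token_bytes(16), secrets.token_bytes(16)
    secret = REGISTERED["bob"]
    salted = audit_field(ni, secret, salt)
    guess = b"guess-by-non-paying-party"
    return {
        "linked_without_salt": vendor_link_attempt(ni, audit_field(ni, secret)),
        "linked_with_salt": vendor_link_attempt(ni, salted),
        "audit_passes": vendor_audit(salted, "bob", ni, secret, salt),
        # A party holding a shared certificate but not the audit secret.
        "sharer_passes": vendor_audit(audit_field(ni, guess, salt),
                                      "bob", ni, guess, salt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```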

The audit features of the present invention
advantageously deter the illicit sharing of certificates.
A non-paying party is not likely to have the audit secret,
which in one embodiment is a credit card number, or other
valuable data for which the registered customer has a
strong incentive to keep confidential. This provides a
disincentive for sharing the data that is needed to pass
an audit. Illicitly sharing a subscription also incurs a
risk of subscription termination, and is thereby further
deterred by the present invention.

The present invention terminates a series of
transactions simply by not validating and returning an
unvalidated blinded certificate as part of the last
transaction.

The present invention further provides for trusted
recovery from a broken connection, or from some other
interruption in the methods of the present invention. In
one embodiment of the present invention, an interrupted
protocol is replayed in its entirety (except for the
actual transaction, which is always skipped) with the same
session key, nonce and blinding factor. The present
invention advantageously does not release any new
information when a protocol is replayed.

In one embodiment, broken protocols are considered to 
be automatically acknowledged after some predetermined 
period of time, after which the customer cannot recover 
from the break, and replay is not allowed. If a connection 
breaks after the receipt of a new validated blinded 
certificate has been acknowledged by the customer in the 
redemption protocol, then the customer can simply use the 
new certificate in the next transaction request.

If the connection breaks before the customer has
received the new validated blinded certificate in the
redemption protocol, then the protocol is replayed. An
embodiment of the trusted recovery protocol is shown in
FIG 4. The vendor stores the messages of each protocol run
(one instance of Messages 1 through 4 of the redemption
protocol above), step 401, until the vendor receives an
acknowledgment message from the customer indicating that
the customer has received the new certificate (Message 5
in the redemption protocol), or until the predetermined
automatic acknowledgment time has elapsed, step 402. When
the customer realizes the connection has been broken, step
403, the customer replays the protocol run starting from
the transaction request message (Message 1 of the
redemption protocol), step 404. The vendor identifies the
presented certificate as already spent, and consults its
recovery database (in which the protocol runs are stored),
step 405. If the recovery database indicates that no
acknowledgment from the customer has been received, step
406, then the vendor returns the stored response, step
407. As mentioned above, the transaction is skipped, but
the customer receives a new validated blinded certificate
to use in the next protocol run to engage in the
transaction. Note that the customer does not identify
itself during recovery in accordance with the present
invention, advantageously protecting the customer's
anonymity.
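
The vendor-side bookkeeping of FIG 4, as an added example that is not part of the patent text. Certificate validity checking is left out and validation of the blinded certificate is replaced by a labelled stand-in; the timeout value, the requirement that a replay match the stored request byte for byte, and all names are assumptions.

```python
import hashlib
import hmac

ACK_TIMEOUT = 300.0                      # assumed automatic-acknowledgment period (s)
VENDOR_KEY = b"constructed-demo-key"     # constructed; used only by the stand-in


def validate(blinded_cert: bytes) -> bytes:
    """Stand-in for the vendor's validation of a blinded certificate
    (not a blind signature; only a deterministic placeholder)."""
    return hmac.new(VENDOR_KEY, blinded_cert, hashlib.sha256).digest()


class RecoveryVendor:
    def __init__(self):
        # Recovery database: spent certificate -> stored protocol run (step 401).
        self.runs = {}

    def redeem(self, cert: bytes, session_key: bytes, blinded_next: bytes,
               now: float):
        """Return (status, validated_blinded_cert, transaction_performed)."""
        request = (cert, session_key, blinded_next)
        run = self.runs.get(cert)
        if run is None:
            # First presentation: perform the transaction and store the run.
            response = validate(blinded_next)
            self.runs[cert] = {"request": request, "response": response,
                               "acked": False, "stored_at": now}
            return "approved", response, True

        # Certificate already spent: consult the recovery database (step 405).
        expired = now - run["stored_at"] > ACK_TIMEOUT
        if run["acked"] or expired:
            return "not approved", None, False       # recovery window closed
        # Assumption: a replay must repeat the stored request exactly (same
        # session key and blinded certificate), so one spent certificate can
        # never yield a second, different validated certificate.
        same = all(hmac.compare_digest(a, b)
                   for a, b in zip(request, run["request"]))
        if not same:
            return "not approved", None, False
        # Step 407: return the stored response; the transaction is skipped.
        return "replayed", run["response"], False

    def acknowledge(self, cert: bytes) -> None:
        """Message 5: the customer confirms receipt of the new certificate."""
        run = self.runs.get(cert)
        if run is not None:
            run["acked"] = True


def demo() -> list:
    vendor = RecoveryVendor()
    cert, key, nxt = b"cert-i", b"Kcv-run-1", b"blinded-h(N(i+1))"
    steps = [vendor.redeem(cert, key, nxt, now=0.0)]             # original run
    steps.append(vendor.redeem(cert, key, nxt, now=10.0))        # faithful replay
    steps.append(vendor.redeem(cert, key, b"other", now=11.0))   # altered replay
    vendor.acknowledge(cert)
    steps.append(vendor.redeem(cert, key, nxt, now=12.0))        # after Message 5
    return [(status, performed) for status, _, performed in steps]


if __name__ == "__main__":
    for step in demo():
        print(step)
```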

One embodiment of the present invention provides a
membership that charges a fee for some or all of the
transactions with a customer. For example, in one
embodiment, the vendor becomes a mint for simple, single
denomination digital tokens. The digital tokens
correspond to digital cash roughly as tokens in a game
arcade correspond to coins. The vendor can bill for these
tokens by credit card, or some other suitable mechanism.

The customer spends previously purchased tokens
during an electronic transaction in accordance with the
present invention. In one embodiment, the tokens are spent
in a transaction request message, and the vendor does not
send a validated, blinded certificate to the customer
unless the payment in tokens is valid and sufficient. In
another embodiment, a transaction request message includes
a credit balance, which must be paid periodically. Using
a credit balance may, however, allow a vendor to link
transactions and even tie them to customers, since the
credit balance increases monotonically.

In accordance with an embodiment of the present
invention, a certificate presented by the customer
operates as a bearer authentication note that serves to
reliably identify a member of a particular group (e.g.,
customers that have subscribed to a particular service)
without compromising the group members' privacy. No
certificate (bearer authentication note) can generally be
linked by the vendor to any other, and so the transactions
are anonymous.

Another embodiment of the present invention is used
for voting. In this embodiment, a voter registers and
receives a validated, blinded certificate to cast in a
vote. The registration process ensures, for example, that
each voter is entitled to cast only one vote. In one
embodiment, a different electronic destination is provided
for each option for which the vote may be cast. The voter
unblinds the validated, blinded voting certificate and
sends it to the destination corresponding to the option
for which the voter chooses to vote. In another
embodiment, the voter indicates its choice in a
certificate, blinds it, sends it to be certified, receives
it back, unblinds it, and sends it to an electronic
destination. For example, in an election with two
choices, an even random number (nonce) corresponds to the
first choice, and an odd random number (nonce) corresponds
to the second choice. The voter picks an odd or even
nonce in accordance with the voter's choice, and votes in
accordance with the present invention. This
advantageously avoids having to designate different
destinations for different votes.

An embodiment of an apparatus in accordance with the
present invention is shown in FIG 5. A server 501 includes
a processor 502 coupled to a memory 503 that stores
transaction instructions 504 that are adapted to be
executed on processor 502. Server 501 further comprises a
port 505 that is adapted to be coupled to a network 506.
Port 505 is coupled to processor 502 and memory 503. A
client (e.g., a customer) 507 is also coupled to the
network 506.

Examples of memory 503 include a hard disk, Read Only
Memory (ROM), Random Access Memory (RAM), a floppy disk,
and any other medium capable of storing digital
information.

Transaction instructions 504 can be distributed in
accordance with the present invention stored on a medium.
Examples of a medium that store the transaction
instructions adapted to be executed by processor 502
include a hard disk, a floppy disk, a Compact Disk Read
Only Memory (CD-ROM), flash memory, and any other device
that can store digital information. In one embodiment,
the instructions are stored on the medium in a compressed
and/or encrypted format. As used herein, the phrase
"adapted to be executed by a processor" is meant to
encompass instructions stored in a compressed and/or
encrypted format, as well as instructions that have to be
compiled or installed by an installer before being
executed by the processor.

In one embodiment of the present invention,
transaction instructions 504 are adapted to be executed by
processor 502 to perform the steps of initializing a
series of electronic transactions. For example, the
instructions are adapted to be executed by processor 502
to receive an initialization request message that
atomically binds authorization data and a blinded
unvalidated certificate to be validated; determine if the
authorization data is valid; if the authorization data is
valid, then to validate the blinded unvalidated
certificate to obtain a blinded validated certificate; and
to send an initialization response message to a registrant
that includes the blinded validated certificate atomically
bound to the initialization request message.

In another embodiment of the present invention,
transaction instructions 504 are adapted to be executed by
processor 502 to perform an electronic transaction, e.g.,
to receive a transaction request message that atomically
binds an unblinded certificate and a blinded unvalidated
certificate to be validated; determine if the unblinded
certificate is valid; and if the unblinded certificate is
valid, then to perform a transaction response that
validates the blinded unvalidated certificate to obtain a
validated blinded certificate, and sends the validated
blinded certificate atomically bound to the transaction
request message to a transaction response recipient in a
transaction response message.

In yet another embodiment, transaction instructions 
504 are adapted to be executed by processor 502 to audit 
an electronic transaction, e.g., to receive a transaction 
request message that atomically binds an unblinded 
certificate and a blinded unvalidated certificate to be 
validated and blinded audit data; to send an audit request 
message atomically bound to the transaction request 
message to an audit recipient; to receive an audit 
response message atomically bound to the audit transaction 
message, where the audit response message includes audit 
response data; and to determine if the blinded audit data 
is valid using the audit response data. 

Yet another embodiment of the present invention 
includes transaction instructions 504 that are adapted to 
be executed by processor 502 to recover from an 
interruption in an electronic transaction in accordance 
with the method of the present invention. 

The present invention advantageously provides for 
anonymous, unlinkable electronic transactions that assure 
the vendor of payment while protecting the privacy of the 
customer.
What is claimed is: 

1. A method for initializing a series of electronic 
transactions, comprising the steps of: 
   a. receiving an initialization request message that 
      atomically binds 
      i. authorization data, and 
      ii. a blinded unvalidated certificate to be validated; 
   b. determining if the authorization data is valid; 
   c. if the authorization data is valid, then validating the 
      blinded unvalidated certificate to obtain a blinded 
      validated certificate; and 
   d. sending an initialization response message to a 
      registrant that includes the blinded validated 
      certificate atomically bound to the initialization 
      request message received in step a. 

2. The method of claim 1, further comprising the step of 
receiving a registration acknowledgment message from a 
registrant acknowledging that the registrant has received 
the initialization response message. 

3. The method of claim 1, wherein the initialization 
request message includes a nonce, a session key and a 
blinding factor applied to the nonce, and further 
comprising the step of storing the initialization request 
message and the initialization response message in a 
recovery database. 

4. A method for recovering from an interruption in 
initializing an electronic transaction, comprising the 
steps of: 
   a. receiving a first initialization request message from 
      a registrant that includes a nonce, a session key, and 
      a blinding factor applied to the nonce, and that 
      atomically binds 
      i. authorization data, and 
      ii. a blinded unvalidated certificate to be validated; 
   b. storing the initialization request message in a 
      recovery database; 
   c. determining if the authorization data is valid; 
   d. if the authorization data is valid, then validating the 
      blinded unvalidated certificate to obtain a blinded 
      validated certificate; 
   e. sending a first initialization response message to a 
      registrant that includes the blinded validated 
      certificate atomically bound to the initialization 
      request message received in step a; 
   f. storing the first initialization response message in a 
      recovery database; 
   g. receiving a second initialization request message; 
   h. determining if the second initialization request 
      message has the same nonce, session key, and blinding 
      factor applied to the nonce as the first 
      initialization request message stored in the recovery 
      database; and 
   i. if the second initialization request message has the 
      same nonce, session key, and blinding factor applied 
      to the nonce as the first initialization request 
      message, then 
      1. retrieving the first initialization response 
         message from the recovery database; and 
      2. sending the first initialization response message 
         to the registrant. 

5. A method for performing an electronic transaction, 
comprising the steps of: 
   a. receiving a transaction request message that 
      atomically binds 
      i. an unblinded certificate, and 
      ii. a blinded unvalidated certificate to be validated; 
   b. determining if the unblinded certificate is valid; and 
   c. if the unblinded certificate is valid, then performing 
      a transaction response that includes: 
      i. validating the blinded unvalidated certificate to 
         obtain a validated blinded certificate, and 
      ii. sending the validated blinded certificate 
          atomically bound to the transaction request 
          message to a transaction response recipient in a 
          transaction response message. 



6. The method of claim 5, wherein the transaction 
response further includes making available a product to a 
party. 

7. The method of claim 5, wherein the transaction 
response further includes obtaining payment for a product. 

8. The method of claim 5, further comprising the step of 
receiving a transaction acknowledgment message from a 
registrant acknowledging that the transaction response 
recipient has received the transaction response message. 

9. The method of claim 5, further comprising the step of 
storing the transaction request message and the 
transaction response message in a recovery database. 



10. A method for recovering from an interruption in an 
electronic transaction, comprising the steps of: 
   a. receiving a first transaction request message that 
      includes a session key, a nonce and a blinding factor 
      applied to the nonce, and that atomically binds 
      i. an unblinded certificate, and 
      ii. a blinded unvalidated certificate to be validated; 
   b. storing the first transaction request message in a 
      recovery database; 
   c. determining if the unblinded certificate is valid; and 
   d. if the unblinded certificate is valid, then performing 
      a transaction response that includes 
      i. validating the blinded unvalidated certificate to 
         obtain a validated blinded certificate, 
      ii. sending the validated blinded certificate 
          atomically bound to the transaction request 
          message to a transaction response recipient in a 
          first transaction response message, and 
      iii. storing the first transaction response message 
           in a recovery database; 
   e. receiving a second transaction request message that 
      includes a session key, a nonce and a blinding factor 
      applied to the nonce, and that atomically binds 
      i. an unblinded certificate, and 
      ii. a blinded unvalidated certificate to be validated; 
   f. determining if the second transaction request message 
      has the same nonce, session key, and blinding factor 
      applied to the nonce as the first transaction request 
      message stored in the recovery database; and 
   g. if the second transaction request message has the same 
      nonce, session key, and blinding factor applied to the 
      nonce as the first transaction request message, then 
      i. retrieving the first transaction response message 
         from the recovery database, and 
      ii. sending the first transaction response message to 
          the transaction response recipient. 

11. A method for auditing an electronic transaction, 
comprising the steps of: 
   a. receiving a transaction request message that 
      atomically binds 
      i. an unblinded certificate, 
      ii. a blinded unvalidated certificate to be validated, 
          and 
      iii. blinded audit data; 
   b. sending an audit request message atomically bound to 
      the transaction request message to an audit recipient; 
   c. receiving an audit response message atomically bound 
      to the audit transaction message, wherein the audit 
      response message includes audit response data; 
   d. determining if the blinded audit data is valid using 
      the audit response data. 

12. The method of claim 11, wherein the audit response 
data is determined to be valid if 
   i. the audit response data corresponds to the blinded 
      audit data received in the transaction request 
      message, and 
   ii. the audit response data is legitimate. 

13. An apparatus for initializing a series of electronic 
transactions, comprising: 
   a. a processor; and 
   b. a memory that stores instructions adapted to be 
      executed by said processor to, 
      i. receive an initialization request message that 
         atomically binds authorization data and a blinded 
         unvalidated certificate to be validated; 
      ii. determine if the authorization data is valid; 
      iii. if the authorization data is valid, then to 
           validate the blinded unvalidated certificate to 
           obtain a blinded validated certificate; and 
      iv. send an initialization response message to a 
          registrant that includes the blinded validated 
          certificate atomically bound to the 
          initialization request message, 
   said memory coupled to said processor. 

14. The apparatus of claim 13, further comprising a port 
adapted to be coupled to a network, said port coupled to 
said memory and said processor. 

15. An apparatus for performing an electronic 
transaction, comprising: 
   a. a processor; and 
   b. a memory that stores instructions adapted to be 
      executed by a processor to 
      i. receive a transaction request message that 
         atomically binds an unblinded certificate and a 
         blinded unvalidated certificate to be validated; 
      ii. determine if the unblinded certificate is valid; 
          and 
      iii. if the unblinded certificate is valid, then to 
           perform a transaction response that validates 
           the blinded unvalidated certificate to obtain a 
           validated blinded certificate, and sends the 
           validated blinded certificate atomically bound 
           to the transaction request message to a 
           transaction response recipient in a transaction 
           response message, 
   said memory coupled to said processor. 

16. The apparatus of claim 15, further comprising a port 
adapted to be coupled to a network, said port coupled to 
said memory and said processor. 

17. An apparatus for auditing an electronic transaction, 
comprising: 
   a. a processor; and 
   b. a memory that stores instructions adapted to be 
      executed by said processor to 
      i. receive a transaction request message that 
         atomically binds an unblinded certificate and a 
         blinded unvalidated certificate to be validated 
         and blinded audit data; 
      ii. send an audit request message atomically bound to 
          the transaction request message to an audit 
          recipient; 
      iii. receive an audit response message atomically 
           bound to the audit transaction message, where 
           the audit response message includes audit 
           response data; and 
      iv. determine if the blinded audit data is valid 
          using the audit response data, 
   said memory coupled to said processor. 

18. The apparatus of claim 17, further comprising a port 
adapted to be coupled to a network, said port coupled to 
said processor and said memory. 

19. An apparatus for recovering from an interruption in 
an electronic transaction, comprising: 
   a. a processor; and 
   b. a memory that stores instructions adapted to be 
      executed by said processor to 
      i. receive a first transaction request message that 
         includes a session key, a nonce and a blinding 
         factor applied to the nonce, and that atomically 
         binds an unblinded certificate and a blinded 
         unvalidated certificate to be validated; 
      ii. store the first transaction request message in a 
          recovery database; 
      iii. determine if the unblinded certificate is valid; 
      iv. if the unblinded certificate is valid, then 
          performing a transaction response that validates 
          the blinded unvalidated certificate to obtain a 
          validated blinded certificate, sends the 
          validated blinded certificate atomically bound to 
          the transaction request message to a transaction 
          response recipient in a first transaction 
          response message, and stores the first 
          transaction response message in a recovery 
          database; 
      v. receive a second transaction request message that 
         includes a session key, a nonce and a blinding 
         factor applied to the nonce, and that atomically 
         binds an unblinded certificate and a blinded 
         unvalidated certificate to be validated; 
      vi. determine if the second transaction request 
          message has the same nonce, session key, and 
          blinding factor applied to the nonce as the first 
          transaction request message stored in the 
          recovery database; 
      vii. if the second transaction request message has 
           the same nonce, session key, and blinding factor 
           applied to the nonce as the first transaction 
           request message, then to retrieve the first 
           transaction response message from the recovery 
           database and send the first transaction response 
           message to the transaction response recipient, 
   said memory coupled to said processor. 

20. The apparatus of claim 19, further comprising a port 
adapted to be coupled to a network, said port coupled to 
said processor and said memory. 

21. A medium that stores instructions adapted to be 
executed by a processor to perform the steps of: 
   a. receiving an initialization request message that 
      atomically binds 
      i. authorization data, and 
      ii. a blinded unvalidated certificate to be validated; 
   b. determining if the authorization data is valid; 
   c. if the authorization data is valid, then validating the 
      blinded unvalidated certificate to obtain a blinded 
      validated certificate; and 
   d. sending an initialization response message to a 
      registrant that includes the blinded validated 
      certificate atomically bound to the initialization 
      request message received in step a. 

22. A medium that stores instructions adapted to be 
executed by a processor to perform the steps of: 
   a. receiving a transaction request message that 
      atomically binds 
      i. an unblinded certificate, and 
      ii. a blinded unvalidated certificate to be validated; 
   b. determining if the unblinded certificate is valid; and 
   c. if the unblinded certificate is valid, then performing 
      a transaction response that includes 
      i. validating the blinded unvalidated certificate to 
         obtain a validated blinded certificate, and 
      ii. sending the validated blinded certificate 
          atomically bound to the transaction request 
          message to a transaction response recipient in a 
          transaction response message. 

23. A medium that stores instructions adapted to be 
executed by a processor to perform the steps of: 
   a. receiving a transaction request message that 
      atomically binds 
      i. an unblinded certificate, 
      ii. a blinded unvalidated certificate to be validated, 
          and 
      iii. blinded audit data; 
   b. sending an audit request message atomically bound to 
      the transaction request message to an audit recipient; 
   c. receiving an audit response message atomically bound 
      to the audit transaction message, wherein the audit 
      response message includes audit response data; 
   d. determining if the blinded audit data is valid using 
      the audit response data. 

24. A system for performing an electronic transaction, 
comprising: 
   a. means for receiving a transaction request message that 
      atomically binds 
      i. an unblinded certificate, and 
      ii. a blinded unvalidated certificate to be validated; 
   b. means for determining if the unblinded certificate is 
      valid; and 
   c. means for validating the blinded unvalidated 
      certificate to obtain a validated blinded certificate; 
      and 
   d. means for sending the validated blinded certificate 
      atomically bound to the transaction request message to 
      a transaction response recipient in a transaction 
      response message. 

25. The system of claim 24, further comprising means for 
auditing an electronic transaction. 

26. The system of claim 24, further comprising means for 
initializing a series of electronic transactions. 

27. The system of claim 24, further comprising means for 
recovering from an interruption in an electronic 
transaction. 

ABSTRACT OF THE INVENTION 

A system and method for performing an electronic 
transaction, including registration, audit and trusted 
recovery features. A transaction request message is 
received from a registered user that includes an unblinded 
validated certificate, and a blinded unvalidated 
certificate. If the unblinded validated certificate is 
determined to be legitimate, then a transaction can be 
performed, and the blinded unvalidated certificate is 
validated to obtain a blinded, validated certificate that 
is sent to the user. An audit protocol can be used to 
further verify the legitimacy of the transaction request 
message, and a user can recover from a broken connection 
by replaying a protocol run. 

IN THE UNITED STATES 
PATENT AND TRADEMARK OFFICE 

Declaration and Power of Attorney 



As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my 
name. 

I believe I am an original, first and joint inventor of the subject matter which is 
claimed and for which a patent is sought on the invention entitled System And Method 
For Electronic Transactions the specification of which was filed on February 19 1998 
as application Serial No. 09/025802. 

I hereby state that I have reviewed and understand the contents of the above 
identified specification, including the claims, as amended by an amendment, if any, 
specifically referred to in this oath or declaration. 

I acknowledge the duty to disclose all information known to me which is material to 
patentability as defined in Title 37, Code of Federal Regulations, 1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, 119 of 
any foreign application(s) for patent or inventor's certificate listed below and have also 
identified below any foreign application for patent or inventor's certificate having a filing 
date before that of the application on which priority is claimed: 

None 

I hereby claim the benefit under Title 35, United States Code, 120 of any United 
States application(s) listed below and, insofar as the subject matter of each of the claims 
of this application is not disclosed in the prior United States application in the manner 
provided by the first paragraph of Title 35, United States Code, 112, I acknowledge the 
duty to disclose all information known to me to be material to patentability as defined in 
Title 37, Code of Federal Regulations, 1.56 which became available between the filing 
date of the prior application and the national or PCT international filing date of this 
application: 



None 



I hereby declare that all statements made herein of my own knowledge are true and 
that all statements made on information and belief are believed to be true; and further that 
these statements were made with the knowledge that willful false statements and the like 
so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 
of the United States Code and that such willful false statements may jeopardize the 
validity of the application or any patent issued thereon. 
I hereby appoint the following attorney(s) with full power of substitution and 
revocation, to prosecute said application, to make alterations and amendments therein, to 
receive the patent, and to transact all business in the Patent and Trademark Office 
connected therewith: 



Samuel H. Dworetsky (Reg. No. 27873) 
Thomas A. Restaino (Reg. No. 33444) 
Robert B. Levy (Reg. No. 28234) 
Michele Conover (Reg. No. 34962) 
Jose R. de la Rosa (Reg. No. 34810) 
Barry H. Freedman (Reg. No. 26166) 
Alfred G. Steinmetz (Reg. No. 22971) 
Stephen M. Gurey (Reg. No. 27336) 



Please address all correspondence to Mr. S. H. Dworetsky, AT&T Corp., 
P.O. Box 4110, Middletown, New Jersey 07748. Telephone calls should be made to 
Samuel H. Dworetsky by dialing 973-360-8120. 



Full name of 1st joint inventor: David M. Goldschlag 
Residence: Silver Spring, Montgomery County, Maryland 

Citizenship: United States of America 

Post Office Address: 1 1209 Bybee Street 

Silver Spring, Maryland 20902 
Post Office Address: 4 Knox Lane 
Citizenship: United States of America 